Following last year’s Meltdown and Spectre attacks, new Intel CPU vulnerabilities have emerged. Colloquially named “ZombieLoad,” Google has already taken steps to protect Chromebooks today, while Chrome OS 75 next month features additional mitigations.

“ZombieLoad” — also known as the Microarchitectural Data Sampling (MDS) vulnerabilities — is comprised of four issues that take advantage of CPU design flaws to let attackers read sensitive data. By visiting a website or running an Android app, users could execute code that exploits MDS to read sensitive memory contents.

If Chrome processes are attacked, these sensitive data could include website contents as well as passwords, credit card numbers, or cookies. The vulnerabilities can also be exploited to read host memory from inside a virtual machine, or for an Android App to read privileged process memory (e.g. keymaster).

Given that most Chromebooks are powered by Intel, Google identified 77 currently supported devices that are affected. This includes the Pixelbook and Pixel Slate, as well as Chromebooks from Asus, Acer, Dell, HP, Lenovo, and Samsung. A full list is available below.

Intel was made aware of this issue a month ago and has been working with partners on updated microprocessor microcode. Google’s solution disables Hyper-Threading by default with Chrome OS 74, which rolled out earlier this month.

According to Google, the performance loss should be minimal, but dependent on the workload. Hyper-Threading can be re-enabled on a per machine basis:

The setting is located at chrome://flags#scheduler-configuration. The “performance” setting chooses the configuration that enables Hyper-Threading. The “conservative” setting chooses the configuration that disables Hyper-Threading.

Chrome OS 75 next month will feature additional mitigations. As of Tuesday, May 14th, “Google is not aware of any active exploitation of the MDS vulnerabilities.”

On other Google platforms, the Chrome browser is dependent on Apple and Microsoft fixes for macOS and Windows, respectively. The few Android devices that run Intel are impacted, but Google notes that the “vast majority of Android devices are not affected” due to ARM. More details are available on Chromium and the MDS attacks site that describes the CPU vulnerabilities in-depth.